cvelistv5 - cve-2020-6265

CVE-2020-6265 (GCVE-0-2020-6265)

Vulnerability from cvelistv5 – Published: 2020-06-09 18:24 – Updated: 2024-08-04 08:55

Summary

SAP Commerce, versions - 6.7, 1808, 1811, 1905, and SAP Commerce (Data Hub), versions - 6.7, 1808, 1811, 1905, allows an attacker to bypass the authentication and/or authorization that has been configured by the system administrator due to the use of Hardcoded Credentials.

Severity ?

9.8 (Critical)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-798

Assigner

sap

References

URL

Tags

	https://launchpad.support.sap.com/#/notes/2918924	x_refsource_MISC
	https://wiki.scn.sap.com/wiki/pages/viewpage.acti…	x_refsource_MISC

Impacted products

Vendor

Product

Version

SAP SE

SAP Commerce

Affected: < 6.7
Affected: < 1808
Affected: < 1811
Affected: < 1905

SAP SE

SAP Commerce (Data Hub)

Affected: < 6.7
Affected: < 1808
Affected: < 1811
Affected: < 1905

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T08:55:22.177Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://launchpad.support.sap.com/#/notes/2918924"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "SAP Commerce",
          "vendor": "SAP SE",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 6.7"
            },
            {
              "status": "affected",
              "version": "\u003c 1808"
            },
            {
              "status": "affected",
              "version": "\u003c 1811"
            },
            {
              "status": "affected",
              "version": "\u003c 1905"
            }
          ]
        },
        {
          "product": "SAP Commerce (Data Hub)",
          "vendor": "SAP SE",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 6.7"
            },
            {
              "status": "affected",
              "version": "\u003c 1808"
            },
            {
              "status": "affected",
              "version": "\u003c 1811"
            },
            {
              "status": "affected",
              "version": "\u003c 1905"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "SAP Commerce, versions - 6.7, 1808, 1811, 1905, and SAP Commerce (Data Hub), versions - 6.7, 1808, 1811, 1905, allows an attacker to bypass the authentication and/or authorization that has been configured by the system administrator due to the use of Hardcoded Credentials."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-798",
              "description": "CWE-798",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-06-09T18:24:14",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://launchpad.support.sap.com/#/notes/2918924"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cna@sap.com",
          "ID": "CVE-2020-6265",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "SAP Commerce",
                      "version": {
                        "version_data": [
                          {
                            "version_name": "\u003c",
                            "version_value": "6.7"
                          },
                          {
                            "version_name": "\u003c",
                            "version_value": "1808"
                          },
                          {
                            "version_name": "\u003c",
                            "version_value": "1811"
                          },
                          {
                            "version_name": "\u003c",
                            "version_value": "1905"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "SAP Commerce (Data Hub)",
                      "version": {
                        "version_data": [
                          {
                            "version_name": "\u003c",
                            "version_value": "6.7"
                          },
                          {
                            "version_name": "\u003c",
                            "version_value": "1808"
                          },
                          {
                            "version_name": "\u003c",
                            "version_value": "1811"
                          },
                          {
                            "version_name": "\u003c",
                            "version_value": "1905"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "SAP SE"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "SAP Commerce, versions - 6.7, 1808, 1811, 1905, and SAP Commerce (Data Hub), versions - 6.7, 1808, 1811, 1905, allows an attacker to bypass the authentication and/or authorization that has been configured by the system administrator due to the use of Hardcoded Credentials."
            }
          ]
        },
        "impact": {
          "cvss": {
            "baseScore": "9.8",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-798"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://launchpad.support.sap.com/#/notes/2918924",
              "refsource": "MISC",
              "url": "https://launchpad.support.sap.com/#/notes/2918924"
            },
            {
              "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775",
              "refsource": "MISC",
              "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2020-6265",
    "datePublished": "2020-06-09T18:24:14",
    "dateReserved": "2020-01-08T00:00:00",
    "dateUpdated": "2024-08-04T08:55:22.177Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:commerce:6.7:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"20B6F0DE-3989-47FD-97F0-2F52245D57A1\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:commerce:1808:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"F352D085-2B1E-44A9-81C6-2E1F5C249AB4\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:commerce:1811:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"27A12336-30BA-439D-A3F2-B7D93D5B52DC\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:commerce:1905:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"F665F648-5C35-4EC8-8064-8ED139C8813C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:commerce_data_hub:6.7:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"99ACEB84-0AEB-438D-93BB-4CE4CC5047DF\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:commerce_data_hub:1808:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"7595660F-77F1-4512-B9C9-596F513E8DFC\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:commerce_data_hub:1811:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"623BF378-FA6E-4110-818A-B4E69F3071B7\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:commerce_data_hub:1905:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"2F7D9F96-93D8-42EE-83B4-0B2AB8800923\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"SAP Commerce, versions - 6.7, 1808, 1811, 1905, and SAP Commerce (Data Hub), versions - 6.7, 1808, 1811, 1905, allows an attacker to bypass the authentication and/or authorization that has been configured by the system administrator due to the use of Hardcoded Credentials.\"}, {\"lang\": \"es\", \"value\": \"SAP Commerce, versiones - 6.7, 1808, 1811, 1905, y SAP Commerce (Data Hub), versiones - 6.7, 1808, 1811, 1905, permite a un atacante omitir una autenticaci\\u00f3n y/o autorizaci\\u00f3n configurada por el administrador del sistema debido al uso de Credenciales Embebidas\"}]",
      "id": "CVE-2020-6265",
      "lastModified": "2024-11-21T05:35:24.363",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}], \"cvssMetricV30\": [{\"source\": \"cna@sap.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:P/A:P\", \"baseScore\": 7.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 10.0, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2020-06-09T19:15:10.543",
      "references": "[{\"url\": \"https://launchpad.support.sap.com/#/notes/2918924\", \"source\": \"cna@sap.com\", \"tags\": [\"Permissions Required\"]}, {\"url\": \"https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775\", \"source\": \"cna@sap.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://launchpad.support.sap.com/#/notes/2918924\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Permissions Required\"]}, {\"url\": \"https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "cna@sap.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"cna@sap.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-798\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-798\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2020-6265\",\"sourceIdentifier\":\"cna@sap.com\",\"published\":\"2020-06-09T19:15:10.543\",\"lastModified\":\"2024-11-21T05:35:24.363\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"SAP Commerce, versions - 6.7, 1808, 1811, 1905, and SAP Commerce (Data Hub), versions - 6.7, 1808, 1811, 1905, allows an attacker to bypass the authentication and/or authorization that has been configured by the system administrator due to the use of Hardcoded Credentials.\"},{\"lang\":\"es\",\"value\":\"SAP Commerce, versiones - 6.7, 1808, 1811, 1905, y SAP Commerce (Data Hub), versiones - 6.7, 1808, 1811, 1905, permite a un atacante omitir una autenticaci\u00f3n y/o autorizaci\u00f3n configurada por el administrador del sistema debido al uso de Credenciales Embebidas\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV30\":[{\"source\":\"cna@sap.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"cna@sap.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-798\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-798\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:commerce:6.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"20B6F0DE-3989-47FD-97F0-2F52245D57A1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:commerce:1808:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F352D085-2B1E-44A9-81C6-2E1F5C249AB4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:commerce:1811:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"27A12336-30BA-439D-A3F2-B7D93D5B52DC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:commerce:1905:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F665F648-5C35-4EC8-8064-8ED139C8813C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:commerce_data_hub:6.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"99ACEB84-0AEB-438D-93BB-4CE4CC5047DF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:commerce_data_hub:1808:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7595660F-77F1-4512-B9C9-596F513E8DFC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:commerce_data_hub:1811:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"623BF378-FA6E-4110-818A-B4E69F3071B7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:commerce_data_hub:1905:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2F7D9F96-93D8-42EE-83B4-0B2AB8800923\"}]}]}],\"references\":[{\"url\":\"https://launchpad.support.sap.com/#/notes/2918924\",\"source\":\"cna@sap.com\",\"tags\":[\"Permissions Required\"]},{\"url\":\"https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775\",\"source\":\"cna@sap.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://launchpad.support.sap.com/#/notes/2918924\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Permissions Required\"]},{\"url\":\"https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}

CERTFR-2020-AVI-350

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans les produits SAP. Certaines d'entre elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur, une exécution de code arbitraire à distance et un contournement de la politique de sécurité.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
SAP	N/A	SAP NetWeaver AS ABAP (Business Server Pages Test Application SBSPEXT_TABLE) versions 700, 701, 702, 730, 731, 740, 750, 751, 752, 753 et 754
SAP	N/A	SAP Netweaver AS ABAP versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753 et 754
SAP	N/A	SAP SuccessFactors Recruiting version 2005
SAP	N/A	SAP Solution Manager (Problem Context Manager) version 7.2
SAP	N/A	SAP Liquidity Management for Banking version 6.2
SAP	N/A	.30, 7.31, 7.40 et 7.50
SAP	N/A	SAP ERP (Statutory Reporting for Insurance Companies) versions EA-FINSERV 600, 603, 604, 605, 606, 616, 617, 618 et 800; S4CORE 101, 102, 103 et 104
SAP	N/A	SAP Commerce (Data Hub) versions 6.7, 1808, 1811 et 1905
SAP	N/A	SAP Fiori pour SAP S/4HANA versions 200, 300, 400 et 500
SAP	N/A	SAP Business Objects Business Intelligence Platform version 4.2
SAP	N/A	SAP Gateway versions 7.40 et 2.00
SAP	N/A	SAP Business One (Backup service) versions 9.3,et 10.0
SAP	N/A	SAP NetWeaver AS ABAP (Banking Services) versions 710, 711, 740, 750, 751, 752, 75A, 75B, 75C, 75D et 75E
SAP	N/A	SAP Gateway versions 7.5, 7.51, 7.52 et 7.53
SAP	N/A	SAP Solution Manager (Trace Analysis) version 7.20
SAP	N/A	SAP Commerce versions 6.7, 1808, 1811 et 1905
SAP	SAP NetWeaver AS Java	SAP NetWeaver AS JAVA (P4 Protocol) versions SAP-JEECOR 7.00 et 7.01; SERVERCOR 7.10, 7.11, 7.20, 7.30, 7.31, 7.40 et 7.50; CORE-TOOLS 7.00, 7.01, 7.02, 7.05, 7.10, 7.11, 7.20,

References

Title

Publication Time

Tags

Bulletin de sécurité SAP 547426775 du 09 juin 2020

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "SAP NetWeaver AS ABAP (Business Server Pages Test Application SBSPEXT_TABLE) versions 700, 701, 702, 730, 731, 740, 750, 751, 752, 753 et 754",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Netweaver AS ABAP versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753 et 754",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP SuccessFactors Recruiting version 2005",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Solution Manager (Problem Context Manager) version 7.2",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Liquidity Management for Banking version 6.2",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": ".30, 7.31, 7.40 et 7.50",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP ERP (Statutory Reporting for Insurance Companies) versions EA-FINSERV 600, 603, 604, 605, 606, 616, 617, 618 et 800; S4CORE 101, 102, 103 et 104",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Commerce (Data Hub) versions 6.7, 1808, 1811 et 1905",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Fiori pour SAP S/4HANA versions 200, 300, 400 et 500",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Business Objects Business Intelligence Platform version 4.2",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Gateway versions 7.40 et 2.00",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Business One (Backup service) versions 9.3,et 10.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP NetWeaver AS ABAP (Banking Services) versions 710, 711, 740, 750, 751, 752, 75A, 75B, 75C, 75D et 75E",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Gateway versions 7.5, 7.51, 7.52 et 7.53",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Solution Manager (Trace Analysis) version 7.20",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Commerce versions 6.7, 1808, 1811 et 1905",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP NetWeaver AS JAVA (P4 Protocol) versions SAP-JEECOR 7.00 et 7.01; SERVERCOR 7.10, 7.11, 7.20, 7.30, 7.31, 7.40 et 7.50; CORE-TOOLS 7.00, 7.01, 7.02, 7.05, 7.10, 7.11, 7.20,",
      "product": {
        "name": "SAP NetWeaver AS Java",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2020-6266",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6266"
    },
    {
      "name": "CVE-2020-6246",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6246"
    },
    {
      "name": "CVE-2020-6263",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6263"
    },
    {
      "name": "CVE-2020-6271",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6271"
    },
    {
      "name": "CVE-2019-17571",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-17571"
    },
    {
      "name": "CVE-2020-6268",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6268"
    },
    {
      "name": "CVE-2019-0319",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-0319"
    },
    {
      "name": "CVE-2020-6264",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6264"
    },
    {
      "name": "CVE-2020-6279",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6279"
    },
    {
      "name": "CVE-2020-6269",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6269"
    },
    {
      "name": "CVE-2020-6270",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6270"
    },
    {
      "name": "CVE-2020-1938",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-1938"
    },
    {
      "name": "CVE-2020-6239",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6239"
    },
    {
      "name": "CVE-2020-6275",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6275"
    },
    {
      "name": "CVE-2020-6260",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6260"
    },
    {
      "name": "CVE-2020-6265",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6265"
    },
    {
      "name": "CVE-2018-1000632",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-1000632"
    }
  ],
  "links": [],
  "reference": "CERTFR-2020-AVI-350",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2020-06-09T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits SAP.\nCertaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer un\nprobl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur, une ex\u00e9cution de code\narbitraire \u00e0 distance et un contournement de la politique de s\u00e9curit\u00e9.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits SAP",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 SAP 547426775 du 09 juin 2020",
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775"
    }
  ]
}

CERTFR-2020-AVI-350

Vulnerability from certfr_avis - Published: - Updated:

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
SAP	N/A	SAP NetWeaver AS ABAP (Business Server Pages Test Application SBSPEXT_TABLE) versions 700, 701, 702, 730, 731, 740, 750, 751, 752, 753 et 754
SAP	N/A	SAP Netweaver AS ABAP versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753 et 754
SAP	N/A	SAP SuccessFactors Recruiting version 2005
SAP	N/A	SAP Solution Manager (Problem Context Manager) version 7.2
SAP	N/A	SAP Liquidity Management for Banking version 6.2
SAP	N/A	.30, 7.31, 7.40 et 7.50
SAP	N/A	SAP ERP (Statutory Reporting for Insurance Companies) versions EA-FINSERV 600, 603, 604, 605, 606, 616, 617, 618 et 800; S4CORE 101, 102, 103 et 104
SAP	N/A	SAP Commerce (Data Hub) versions 6.7, 1808, 1811 et 1905
SAP	N/A	SAP Fiori pour SAP S/4HANA versions 200, 300, 400 et 500
SAP	N/A	SAP Business Objects Business Intelligence Platform version 4.2
SAP	N/A	SAP Gateway versions 7.40 et 2.00
SAP	N/A	SAP Business One (Backup service) versions 9.3,et 10.0
SAP	N/A	SAP NetWeaver AS ABAP (Banking Services) versions 710, 711, 740, 750, 751, 752, 75A, 75B, 75C, 75D et 75E
SAP	N/A	SAP Gateway versions 7.5, 7.51, 7.52 et 7.53
SAP	N/A	SAP Solution Manager (Trace Analysis) version 7.20
SAP	N/A	SAP Commerce versions 6.7, 1808, 1811 et 1905
SAP	SAP NetWeaver AS Java	SAP NetWeaver AS JAVA (P4 Protocol) versions SAP-JEECOR 7.00 et 7.01; SERVERCOR 7.10, 7.11, 7.20, 7.30, 7.31, 7.40 et 7.50; CORE-TOOLS 7.00, 7.01, 7.02, 7.05, 7.10, 7.11, 7.20,

References

Title

Publication Time

Tags

Bulletin de sécurité SAP 547426775 du 09 juin 2020

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "SAP NetWeaver AS ABAP (Business Server Pages Test Application SBSPEXT_TABLE) versions 700, 701, 702, 730, 731, 740, 750, 751, 752, 753 et 754",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Netweaver AS ABAP versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753 et 754",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP SuccessFactors Recruiting version 2005",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Solution Manager (Problem Context Manager) version 7.2",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Liquidity Management for Banking version 6.2",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": ".30, 7.31, 7.40 et 7.50",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP ERP (Statutory Reporting for Insurance Companies) versions EA-FINSERV 600, 603, 604, 605, 606, 616, 617, 618 et 800; S4CORE 101, 102, 103 et 104",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Commerce (Data Hub) versions 6.7, 1808, 1811 et 1905",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Fiori pour SAP S/4HANA versions 200, 300, 400 et 500",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Business Objects Business Intelligence Platform version 4.2",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Gateway versions 7.40 et 2.00",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Business One (Backup service) versions 9.3,et 10.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP NetWeaver AS ABAP (Banking Services) versions 710, 711, 740, 750, 751, 752, 75A, 75B, 75C, 75D et 75E",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Gateway versions 7.5, 7.51, 7.52 et 7.53",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Solution Manager (Trace Analysis) version 7.20",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Commerce versions 6.7, 1808, 1811 et 1905",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP NetWeaver AS JAVA (P4 Protocol) versions SAP-JEECOR 7.00 et 7.01; SERVERCOR 7.10, 7.11, 7.20, 7.30, 7.31, 7.40 et 7.50; CORE-TOOLS 7.00, 7.01, 7.02, 7.05, 7.10, 7.11, 7.20,",
      "product": {
        "name": "SAP NetWeaver AS Java",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2020-6266",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6266"
    },
    {
      "name": "CVE-2020-6246",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6246"
    },
    {
      "name": "CVE-2020-6263",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6263"
    },
    {
      "name": "CVE-2020-6271",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6271"
    },
    {
      "name": "CVE-2019-17571",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-17571"
    },
    {
      "name": "CVE-2020-6268",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6268"
    },
    {
      "name": "CVE-2019-0319",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-0319"
    },
    {
      "name": "CVE-2020-6264",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6264"
    },
    {
      "name": "CVE-2020-6279",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6279"
    },
    {
      "name": "CVE-2020-6269",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6269"
    },
    {
      "name": "CVE-2020-6270",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6270"
    },
    {
      "name": "CVE-2020-1938",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-1938"
    },
    {
      "name": "CVE-2020-6239",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6239"
    },
    {
      "name": "CVE-2020-6275",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6275"
    },
    {
      "name": "CVE-2020-6260",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6260"
    },
    {
      "name": "CVE-2020-6265",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-6265"
    },
    {
      "name": "CVE-2018-1000632",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-1000632"
    }
  ],
  "links": [],
  "reference": "CERTFR-2020-AVI-350",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2020-06-09T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits SAP.\nCertaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer un\nprobl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur, une ex\u00e9cution de code\narbitraire \u00e0 distance et un contournement de la politique de s\u00e9curit\u00e9.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits SAP",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 SAP 547426775 du 09 juin 2020",
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775"
    }
  ]
}

GHSA-CQWC-4M4R-GW28

Vulnerability from github – Published: 2022-05-24 17:19 – Updated: 2022-05-24 17:19

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2020-6265"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-06-09T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "SAP Commerce, versions - 6.7, 1808, 1811, 1905, and SAP Commerce (Data Hub), versions - 6.7, 1808, 1811, 1905, allows an attacker to bypass the authentication and/or authorization that has been configured by the system administrator due to the use of Hardcoded Credentials.",
  "id": "GHSA-cqwc-4m4r-gw28",
  "modified": "2022-05-24T17:19:38Z",
  "published": "2022-05-24T17:19:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-6265"
    },
    {
      "type": "WEB",
      "url": "https://launchpad.support.sap.com/#/notes/2918924"
    },
    {
      "type": "WEB",
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

CNVD-2020-35934

Vulnerability from cnvd - Published: 2020-07-01

Title

SAP Commerce信任管理问题漏洞

Description

SAP Commerce是德国思爱普（SAP）公司的一套基于云的电子商务平台。该产支持销售管理、营销管理、订单管理和运营管理等。 SAP Commerce中存在信任管理问题漏洞，该漏洞源于程序使用了硬编码凭证。攻击者可利用该漏洞绕过系统管理员所配置的身份验证和/或授权。

Severity

高

Patch Name

SAP Commerce信任管理问题漏洞的补丁

Patch Description

SAP Commerce是德国思爱普（SAP）公司的一套基于云的电子商务平台。该产支持销售管理、营销管理、订单管理和运营管理等。 SAP Commerce中存在信任管理问题漏洞，该漏洞源于程序使用了硬编码凭证。攻击者可利用该漏洞绕过系统管理员所配置的身份验证和/或授权。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775

Reference

https://vigilance.fr/vulnerability/SAP-multiple-vulnerabilities-of-June-2020-32470

Impacted products

Name
['SAP Commerce 6.7', 'SAP Commerce 1808', 'SAP Commerce 1811', 'SAP Commerce 1905', 'SAP Commerce（Data Hu?） 6.7', 'SAP Commerce（Data Hu?） 1808', 'SAP Commerce（Data Hu?） 1811', 'SAP Commerce（Data Hu?） 1905']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-6265"
    }
  },
  "description": "SAP Commerce\u662f\u5fb7\u56fd\u601d\u7231\u666e\uff08SAP\uff09\u516c\u53f8\u7684\u4e00\u5957\u57fa\u4e8e\u4e91\u7684\u7535\u5b50\u5546\u52a1\u5e73\u53f0\u3002\u8be5\u4ea7\u652f\u6301\u9500\u552e\u7ba1\u7406\u3001\u8425\u9500\u7ba1\u7406\u3001\u8ba2\u5355\u7ba1\u7406\u548c\u8fd0\u8425\u7ba1\u7406\u7b49\u3002\n\nSAP Commerce\u4e2d\u5b58\u5728\u4fe1\u4efb\u7ba1\u7406\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u4f7f\u7528\u4e86\u786c\u7f16\u7801\u51ed\u8bc1\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u7ed5\u8fc7\u7cfb\u7edf\u7ba1\u7406\u5458\u6240\u914d\u7f6e\u7684\u8eab\u4efd\u9a8c\u8bc1\u548c/\u6216\u6388\u6743\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-35934",
  "openTime": "2020-07-01",
  "patchDescription": "SAP Commerce\u662f\u5fb7\u56fd\u601d\u7231\u666e\uff08SAP\uff09\u516c\u53f8\u7684\u4e00\u5957\u57fa\u4e8e\u4e91\u7684\u7535\u5b50\u5546\u52a1\u5e73\u53f0\u3002\u8be5\u4ea7\u652f\u6301\u9500\u552e\u7ba1\u7406\u3001\u8425\u9500\u7ba1\u7406\u3001\u8ba2\u5355\u7ba1\u7406\u548c\u8fd0\u8425\u7ba1\u7406\u7b49\u3002\r\n\r\nSAP Commerce\u4e2d\u5b58\u5728\u4fe1\u4efb\u7ba1\u7406\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u4f7f\u7528\u4e86\u786c\u7f16\u7801\u51ed\u8bc1\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u7ed5\u8fc7\u7cfb\u7edf\u7ba1\u7406\u5458\u6240\u914d\u7f6e\u7684\u8eab\u4efd\u9a8c\u8bc1\u548c/\u6216\u6388\u6743\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "SAP Commerce\u4fe1\u4efb\u7ba1\u7406\u95ee\u9898\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "SAP Commerce 6.7",
      "SAP Commerce 1808",
      "SAP Commerce 1811",
      "SAP Commerce 1905",
      "SAP Commerce\uff08Data Hu?\uff09 6.7",
      "SAP Commerce\uff08Data Hu?\uff09 1808",
      "SAP Commerce\uff08Data Hu?\uff09 1811",
      "SAP Commerce\uff08Data Hu?\uff09 1905"
    ]
  },
  "referenceLink": "https://vigilance.fr/vulnerability/SAP-multiple-vulnerabilities-of-June-2020-32470",
  "serverity": "\u9ad8",
  "submitTime": "2020-06-10",
  "title": "SAP Commerce\u4fe1\u4efb\u7ba1\u7406\u95ee\u9898\u6f0f\u6d1e"
}

GSD-2020-6265

Vulnerability from gsd - Updated: 2023-12-13 01:21

Details

Aliases

CVE-2020-6265

Aliases

CVE-2020-6265

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2020-6265",
    "description": "SAP Commerce, versions - 6.7, 1808, 1811, 1905, and SAP Commerce (Data Hub), versions - 6.7, 1808, 1811, 1905, allows an attacker to bypass the authentication and/or authorization that has been configured by the system administrator due to the use of Hardcoded Credentials.",
    "id": "GSD-2020-6265"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2020-6265"
      ],
      "details": "SAP Commerce, versions - 6.7, 1808, 1811, 1905, and SAP Commerce (Data Hub), versions - 6.7, 1808, 1811, 1905, allows an attacker to bypass the authentication and/or authorization that has been configured by the system administrator due to the use of Hardcoded Credentials.",
      "id": "GSD-2020-6265",
      "modified": "2023-12-13T01:21:54.877166Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cna@sap.com",
        "ID": "CVE-2020-6265",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "SAP Commerce",
                    "version": {
                      "version_data": [
                        {
                          "version_name": "\u003c",
                          "version_value": "6.7"
                        },
                        {
                          "version_name": "\u003c",
                          "version_value": "1808"
                        },
                        {
                          "version_name": "\u003c",
                          "version_value": "1811"
                        },
                        {
                          "version_name": "\u003c",
                          "version_value": "1905"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "SAP Commerce (Data Hub)",
                    "version": {
                      "version_data": [
                        {
                          "version_name": "\u003c",
                          "version_value": "6.7"
                        },
                        {
                          "version_name": "\u003c",
                          "version_value": "1808"
                        },
                        {
                          "version_name": "\u003c",
                          "version_value": "1811"
                        },
                        {
                          "version_name": "\u003c",
                          "version_value": "1905"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "SAP SE"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "SAP Commerce, versions - 6.7, 1808, 1811, 1905, and SAP Commerce (Data Hub), versions - 6.7, 1808, 1811, 1905, allows an attacker to bypass the authentication and/or authorization that has been configured by the system administrator due to the use of Hardcoded Credentials."
          }
        ]
      },
      "impact": {
        "cvss": {
          "baseScore": "9.8",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.0"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-798"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://launchpad.support.sap.com/#/notes/2918924",
            "refsource": "MISC",
            "url": "https://launchpad.support.sap.com/#/notes/2918924"
          },
          {
            "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775",
            "refsource": "MISC",
            "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:sap:commerce:6.7:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:commerce:1808:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:commerce:1811:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:commerce:1905:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:commerce_data_hub:6.7:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:commerce_data_hub:1808:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:commerce_data_hub:1811:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:commerce_data_hub:1905:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cna@sap.com",
          "ID": "CVE-2020-6265"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "SAP Commerce, versions - 6.7, 1808, 1811, 1905, and SAP Commerce (Data Hub), versions - 6.7, 1808, 1811, 1905, allows an attacker to bypass the authentication and/or authorization that has been configured by the system administrator due to the use of Hardcoded Credentials."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-798"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://launchpad.support.sap.com/#/notes/2918924",
              "refsource": "MISC",
              "tags": [
                "Permissions Required"
              ],
              "url": "https://launchpad.support.sap.com/#/notes/2918924"
            },
            {
              "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2020-06-15T19:00Z",
      "publishedDate": "2020-06-09T19:15Z"
    }
  }
}

FKIE_CVE-2020-6265

Vulnerability from fkie_nvd - Published: 2020-06-09 19:15 - Updated: 2024-11-21 05:35

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
cna@sap.com	https://launchpad.support.sap.com/#/notes/2918924	Permissions Required
cna@sap.com	https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://launchpad.support.sap.com/#/notes/2918924	Permissions Required
af854a3a-2127-422b-91ae-364da2661108	https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775	Vendor Advisory

Impacted products

Vendor	Product	Version
sap	commerce	6.7
sap	commerce	1808
sap	commerce	1811
sap	commerce	1905
sap	commerce_data_hub	6.7
sap	commerce_data_hub	1808
sap	commerce_data_hub	1811
sap	commerce_data_hub	1905

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:sap:commerce:6.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "20B6F0DE-3989-47FD-97F0-2F52245D57A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:commerce:1808:*:*:*:*:*:*:*",
              "matchCriteriaId": "F352D085-2B1E-44A9-81C6-2E1F5C249AB4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:commerce:1811:*:*:*:*:*:*:*",
              "matchCriteriaId": "27A12336-30BA-439D-A3F2-B7D93D5B52DC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:commerce:1905:*:*:*:*:*:*:*",
              "matchCriteriaId": "F665F648-5C35-4EC8-8064-8ED139C8813C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:commerce_data_hub:6.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "99ACEB84-0AEB-438D-93BB-4CE4CC5047DF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:commerce_data_hub:1808:*:*:*:*:*:*:*",
              "matchCriteriaId": "7595660F-77F1-4512-B9C9-596F513E8DFC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:commerce_data_hub:1811:*:*:*:*:*:*:*",
              "matchCriteriaId": "623BF378-FA6E-4110-818A-B4E69F3071B7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:commerce_data_hub:1905:*:*:*:*:*:*:*",
              "matchCriteriaId": "2F7D9F96-93D8-42EE-83B4-0B2AB8800923",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "SAP Commerce, versions - 6.7, 1808, 1811, 1905, and SAP Commerce (Data Hub), versions - 6.7, 1808, 1811, 1905, allows an attacker to bypass the authentication and/or authorization that has been configured by the system administrator due to the use of Hardcoded Credentials."
    },
    {
      "lang": "es",
      "value": "SAP Commerce, versiones - 6.7, 1808, 1811, 1905, y SAP Commerce (Data Hub), versiones - 6.7, 1808, 1811, 1905, permite a un atacante omitir una autenticaci\u00f3n y/o autorizaci\u00f3n configurada por el administrador del sistema debido al uso de Credenciales Embebidas"
    }
  ],
  "id": "CVE-2020-6265",
  "lastModified": "2024-11-21T05:35:24.363",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 7.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "cna@sap.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-06-09T19:15:10.543",
  "references": [
    {
      "source": "cna@sap.com",
      "tags": [
        "Permissions Required"
      ],
      "url": "https://launchpad.support.sap.com/#/notes/2918924"
    },
    {
      "source": "cna@sap.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Permissions Required"
      ],
      "url": "https://launchpad.support.sap.com/#/notes/2918924"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775"
    }
  ],
  "sourceIdentifier": "cna@sap.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-798"
        }
      ],
      "source": "cna@sap.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-798"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2020-6265 (GCVE-0-2020-6265)

CERTFR-2020-AVI-350

Solution

CERTFR-2020-AVI-350

Solution

GHSA-CQWC-4M4R-GW28

CNVD-2020-35934

GSD-2020-6265

FKIE_CVE-2020-6265

Tags

Sightings

Nomenclature